titan-iac/services/keycloak/secretproviderclass.yaml

# services/keycloak/secretproviderclass.yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: sso-vault
  namespace: sso
spec:
  provider: vault
  parameters:
    vaultAddress: "http://vault.vault.svc.cluster.local:8200"
    roleName: "sso"
    objects: |
      - objectName: "openldap-admin__LDAP_ADMIN_PASSWORD"
        secretPath: "kv/data/atlas/sso/openldap-admin"
        secretKey: "LDAP_ADMIN_PASSWORD"
      - objectName: "openldap-admin__LDAP_CONFIG_PASSWORD"
        secretPath: "kv/data/atlas/sso/openldap-admin"
        secretKey: "LDAP_CONFIG_PASSWORD"
      - objectName: "oauth2-proxy-oidc__client_id"
        secretPath: "kv/data/atlas/sso/oauth2-proxy-oidc"
        secretKey: "client_id"
      - objectName: "oauth2-proxy-oidc__client_secret"
        secretPath: "kv/data/atlas/sso/oauth2-proxy-oidc"
        secretKey: "client_secret"
      - objectName: "oauth2-proxy-oidc__cookie_secret"
        secretPath: "kv/data/atlas/sso/oauth2-proxy-oidc"
        secretKey: "cookie_secret"
      - objectName: "harbor-pull__dockerconfigjson"
        secretPath: "kv/data/atlas/harbor-pull/sso"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: openldap-admin
      type: Opaque
      data:
        - objectName: openldap-admin__LDAP_ADMIN_PASSWORD
          key: LDAP_ADMIN_PASSWORD
        - objectName: openldap-admin__LDAP_CONFIG_PASSWORD
          key: LDAP_CONFIG_PASSWORD
    - secretName: oauth2-proxy-oidc
      type: Opaque
      data:
        - objectName: oauth2-proxy-oidc__client_id
          key: client_id
        - objectName: oauth2-proxy-oidc__client_secret
          key: client_secret
        - objectName: oauth2-proxy-oidc__cookie_secret
          key: cookie_secret
    - secretName: harbor-regcred
      type: kubernetes.io/dockerconfigjson
      data:
        - objectName: harbor-pull__dockerconfigjson
          key: .dockerconfigjson
vault: wire more services to CSI 2026-01-14 02:54:59 -03:00			`# services/keycloak/secretproviderclass.yaml`
			`apiVersion: secrets-store.csi.x-k8s.io/v1`
			`kind: SecretProviderClass`
			`metadata:`
			`name: sso-vault`
			`namespace: sso`
			`spec:`
			`provider: vault`
			`parameters:`
			`vaultAddress: "http://vault.vault.svc.cluster.local:8200"`
			`roleName: "sso"`
			`objects: \|`
			`- objectName: "openldap-admin__LDAP_ADMIN_PASSWORD"`
			`secretPath: "kv/data/atlas/sso/openldap-admin"`
			`secretKey: "LDAP_ADMIN_PASSWORD"`
			`- objectName: "openldap-admin__LDAP_CONFIG_PASSWORD"`
			`secretPath: "kv/data/atlas/sso/openldap-admin"`
			`secretKey: "LDAP_CONFIG_PASSWORD"`
vault: add remaining secret syncs 2026-01-14 06:16:42 -03:00			`- objectName: "oauth2-proxy-oidc__client_id"`
			`secretPath: "kv/data/atlas/sso/oauth2-proxy-oidc"`
			`secretKey: "client_id"`
			`- objectName: "oauth2-proxy-oidc__client_secret"`
			`secretPath: "kv/data/atlas/sso/oauth2-proxy-oidc"`
			`secretKey: "client_secret"`
			`- objectName: "oauth2-proxy-oidc__cookie_secret"`
			`secretPath: "kv/data/atlas/sso/oauth2-proxy-oidc"`
			`secretKey: "cookie_secret"`
vault: sync harbor pulls 2026-01-14 10:07:31 -03:00			`- objectName: "harbor-pull__dockerconfigjson"`
			`secretPath: "kv/data/atlas/harbor-pull/sso"`
			`secretKey: "dockerconfigjson"`
vault: add remaining secret syncs 2026-01-14 06:16:42 -03:00			`secretObjects:`
			`- secretName: openldap-admin`
			`type: Opaque`
			`data:`
			`- objectName: openldap-admin__LDAP_ADMIN_PASSWORD`
			`key: LDAP_ADMIN_PASSWORD`
			`- objectName: openldap-admin__LDAP_CONFIG_PASSWORD`
			`key: LDAP_CONFIG_PASSWORD`
			`- secretName: oauth2-proxy-oidc`
			`type: Opaque`
			`data:`
			`- objectName: oauth2-proxy-oidc__client_id`
			`key: client_id`
			`- objectName: oauth2-proxy-oidc__client_secret`
			`key: client_secret`
			`- objectName: oauth2-proxy-oidc__cookie_secret`
			`key: cookie_secret`
vault: sync harbor pulls 2026-01-14 10:07:31 -03:00			`- secretName: harbor-regcred`
			`type: kubernetes.io/dockerconfigjson`
			`data:`
			`- objectName: harbor-pull__dockerconfigjson`
			`key: .dockerconfigjson`